Application of Speelman et al. 
Attorney Docket No. 72167.000555 

Amendments to the Claims: 

Claims 1 and 16 are amended herewith. Claims 2, 6-9, 17 and 18 are cancelled. Accordingly, 
claims 1, 3, 4, 5 and 10-16 are presently pending. 

1) (Presently Amended) A method for determining compliance with organizational 
business policies associated with a business risk, said method comprising: 

a. a computer receiving a user selection of a business risk element from a 
business risk element list which is displayed to the user, said business risk 
element list being retrieved from a database coupled to said computer; 

b. in response to the selection of said business risk element, the computer 
retrieving one or more predetermined control procedures, the control 
procedures identified by an administrator as a means for complying with 
business policies associated with said selected business risk element; 

c. the computer associating said one or more predetermined control 
procedures with said selected business risk element, said predetermined 
control procedures being stored in said database; 

d. in response to the retrieving of the control procedures, the computer 
retrieving a weight assigned to each one of said predetermined control 
procedures, said weight being stored in said database; 

e. the computer receiving a user selection of a compliance rating for each 
said predetermined control procedure, the rating selected by the user 
indicating a level of compliance with each one of said predetermined 
control procedures, for each of said predetermined control procedures the 
level of compliance is a subjective rating selected from a rigid set of 
compliance ratings, the same set of compliance ratings is available for 
each of said predetermined control procedures, wherein said compliance 
ratings comprise at least one rating identifying a non-fully compliant 
control procedure; and 
f. the computer calculating a compliance score, said compliance score being 
a function of said assigned weights and said compliance rating of said 
predetermined control procedures[[.]]; 

g. for each said control procedure having a non-fully compliant rating, the 
computer receiving a user generated signal indicating whether said non-
fully compliant rating is accepted or not accepted; and 

h. for each said non-fully compliant control procedure which is indicated as 
not accepted, requiring the user to provide signals for generating an action 
plan. 

2) (Cancelled) 

3) (Presently Amended) The method of claim 1 2 wherein said action plan includes a 
target date, said method further comprising the step of the computer calculating an expected 
compliance score for one or more future dates based on said action plan target dates. 

4) (Previously Amended) The method of claim 3 further comprising the step of the 
computer tracking whether said expected compliance scores have been met, said tracking 
including calculating actual compliance scores for said target dates. 

5) (Previously Amended) The method of claim 4 further comprising the step of the 
computer displaying said expected compliance scores versus said actual compliance for said 
target dates. 

6) (Cancelled) 

7) (Cancelled) 

8) (Cancelled) 
9) (Cancelled) 

10) (Previously Amended) A method for determining compliance with organizational 
business policies associated with a business risk, said method comprising: 

a. a computer receiving a user selection of a business risk element from a 
business risk element list which is displayed to a user on a display 
terminal of the computer, said business risk element list being retrieved 
from a database coupled to said computer; 

b. in response to the selection of said business risk element, the computer 
identifying one or more subrisk elements associated with said business 
risk element, each said subrisk element being retrieved from said database; 

c. for at least one subrisk element, the computer retrieving one or more 
predetermined control procedures, the control procedures identified by an 
administrator as a means for complying with business policies associated 
with said identified subrisk element; 

d. the computer associating said one or more control procedures with said 
subrisk element, said control procedures being stored in said database; 

e. the computer retrieving a weight assigned to each one of said 
predetermined control procedures, said weight being stored in said 
database; 

f. the computer receiving a user selection of a compliance rating for each 
said predetermined control procedure, each said compliance rating is a 
subjective rating selected from a rigid predetermined set of compliance 
ratings, the same set of compliance ratings is available for each of said 
predetermined control procedures including at least one rating indicating 
said control procedure is not fully compliant; 

g. the computer calculating a compliance score, said compliance score being 
a function of said assigned weights and said compliance rating of said 
control procedures; 
h. for each said subrisk, the computer determining whether at least one 
control procedure associated with said subrisk is not fully compliant; 

i. for each said subrisk associated with at least one control procedure which 
is not fully compliant, the computer receiving a signal from the user 
indicating whether said subrisk should be accepted or not accepted; and 

j. for each said subrisk which is indicated as not accepted, the computer 
generating an action plan. 

11) (Previously Amended) The method of claim 10 wherein said action plan further 
includes a target date, said method further comprising the step of the computer calculating a 
future compliance score based on said action plan target dates. 

12) (Previously Amended) The method of claim 10 further comprising the step of the 
computer associating one or more parameters with each said compliance rating. 

13) (Previously Amended) The method of claim 12 further comprising the step of the 
computer sorting said compliance ratings and displaying said sorted ratings. 

14) (Previously Amended) A method of forecasting compliance with organizational 
business policies associated with a business risk with the aid of a computer system, said method 
comprising: 

a. the computer identifying a set of business risk elements, said business risk 
elements being stored in a database coupled to said computer; 

b. for at least one of said business risk elements, the computer retrieving one 
or more predetermined control procedures, the control procedures 
identified by an administrator as a means for complying with business 
policies associated with said business risk element; 

c. the computer associating said one or more control procedures with said 
business risk element; 
d. the computer retrieving a weight assigned to each one of said 
predetermined control procedures, said weight being stored in said 
database; 

e. the computer receiving a user selection of a compliance rating for each 
said predetermined control procedure, said compliance ratings are 
subjective ratings chosen from a predetermined rigid set of ratings over a 
uniform range, the same set of compliance ratings is available for each of 
said predetermined control procedures, including at least one rating 
identifying a non-fully compliant control procedure and at least one rating 
identifying fully compliant control procedures; 

f. for each said control procedure having a non-fully compliant rating, the 
user employing the computer to generate an action plan, said action plan 
including a target date for at least one action listed therein; and 

g. the computer calculating an expected compliance score for a future date, 
said expected compliance score being a function of said assigned weights, 
said fully compliant control procedures, and said action plan target dates 
for said non-fully compliant control procedures. 

15) (Original) The method of claim 14 wherein said action plan comprises a signal 
indicating whether said non-fully compliant rating is accepted or not accepted, said expected 
compliance score further being a function of said non-fully compliant ratings which have been 
accepted. 

16) (Presently Amended) A data processing system for determining compliance 
with organizational business policies associated with a business risk, said system comprising: 

a. a database; 

b. a processor coupled to said database, said processor being programmed 
to perform the steps comprising: 

i. the computer receiving a first signal identifying a user selection of a set 
of business risk elements from a business risk element list which is 
displayed to a user, said business risk elements being stored in said 
database; 

ii. the computer receiving a second signal identifying a user selection of 
one or more control procedures associated with each said business risk 
element, said control procedure comprising a means for complying 
with business policies associated with said risk elements, said control 
procedures being stored in said database; 

iii. the computer receiving a third signal assigning a weight to each said 
control procedure, said weight being stored in said database; 

iv. the computer receiving a fourth signal identifying a user selection of a 
compliance rating for each said control procedure, for each of said 
predetermined control procedures the compliance rating is selected 
from a rigid set of compliance ratings, the same set of compliance 
ratings is available for each of said predetermined control procedures, 
wherein said compliance ratings comprise at least one rating identifying a 
non-fully compliant control procedure; 

v. the computer calculating a compliance score, said compliance score 
being a function of said assigned weights and said compliance rating of 
said control procedures[[.]]; 

vi. for each said control procedure having a non-fully compliant rating, the 
computer receiving a signal indicating whether said non-fully compliant 
rating is accepted or not accepted; 

vii. for each said non-fully compliant control procedure which is indicated as 
not accepted, the computer receiving an action plan, said action plan 
including an expected target date for implementation and an expected 
compliance rating; and 

viii. the computer generating one or more future expected compliance scores, 
said compliance scores being a function of said target dates, said assigned 
weights and said expected compliance rating of said control procedures. 
17) (Cancelled) 



18) (Cancelled) 
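The steps recited in claims 1, 10, 14 and 16 (weighted control procedures, a rigid rating set with at least one non-fully compliant rating, an accept/not-accept signal, an action plan with a target date, and an expected compliance score for a future date) can be illustrated with the following added example. It is not part of the application or its claims: the rating labels and numeric values, the weighted-average scoring function, and the sample control procedures are all constructed assumptions chosen to show the computation.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Rigid set of compliance ratings shared by every control procedure.
# Assumption: the claims require only a fixed set containing at least one
# non-fully-compliant rating; these labels and numeric values are illustrative.
RATING_SCALE = {
    "not_compliant": 0.0,
    "partially_compliant": 0.5,
    "fully_compliant": 1.0,
}
FULLY_COMPLIANT = "fully_compliant"


@dataclass
class ActionPlan:
    """Plan for a non-fully-compliant control that the user did not accept."""
    target_date: date        # date by which the action is expected to be implemented
    expected_rating: str     # rating expected once the plan is implemented


@dataclass
class ControlProcedure:
    name: str
    weight: float                          # administrator-assigned weight
    rating: str                            # current user-selected compliance rating
    accepted: Optional[bool] = None        # accept / not-accept signal for a non-fully-compliant rating
    action_plan: Optional[ActionPlan] = None


def check_rating(rating: str) -> None:
    """Reject any rating outside the fixed set (the same set applies to every control)."""
    if rating not in RATING_SCALE:
        raise ValueError(f"rating {rating!r} is not in the fixed rating set")


def compliance_score(controls) -> float:
    """Weighted average of rating values (the assumed scoring function)."""
    total_weight = sum(c.weight for c in controls)
    if total_weight <= 0:
        raise ValueError("control weights must sum to a positive value")
    for c in controls:
        check_rating(c.rating)
    return sum(c.weight * RATING_SCALE[c.rating] for c in controls) / total_weight


def controls_requiring_action_plan(controls):
    """Non-fully-compliant controls the user did not accept and that have no plan yet."""
    return [
        c.name for c in controls
        if c.rating != FULLY_COMPLIANT and c.accepted is False and c.action_plan is None
    ]


def expected_compliance_score(controls, as_of: date) -> float:
    """Score expected on a future date: each not-accepted control whose action
    plan target date is on or before `as_of` is assumed to reach its expected
    rating; accepted ratings and unplanned controls keep their current rating."""
    projected = []
    for c in controls:
        rating = c.rating
        plan = c.action_plan
        if c.rating != FULLY_COMPLIANT and c.accepted is False and plan is not None:
            check_rating(plan.expected_rating)
            if plan.target_date <= as_of:
                rating = plan.expected_rating
        projected.append(ControlProcedure(c.name, c.weight, rating))
    return compliance_score(projected)


# Constructed sample: one business risk element with five control procedures.
SAMPLE_CONTROLS = [
    ControlProcedure("Quarterly access review", 3, "fully_compliant"),
    ControlProcedure("Backup restore test", 2, "partially_compliant", accepted=True),
    ControlProcedure("Monthly patch window", 1, "not_compliant", accepted=False,
                     action_plan=ActionPlan(date(2025, 3, 31), "fully_compliant")),
    ControlProcedure("Log retention", 2, "partially_compliant", accepted=False,
                     action_plan=ActionPlan(date(2025, 6, 30), "fully_compliant")),
    ControlProcedure("Vendor security review", 2, "not_compliant", accepted=False),
]

if __name__ == "__main__":
    print("current score:", compliance_score(SAMPLE_CONTROLS))
    print("needs action plan:", controls_requiring_action_plan(SAMPLE_CONTROLS))
    for d in (date(2025, 4, 1), date(2025, 7, 1)):
        print(f"expected score on {d}:", expected_compliance_score(SAMPLE_CONTROLS, d))
```

With the sample data the current score is 5/10 = 0.5; once the patch-window plan's target date has passed the expected score rises to 0.6, and after the log-retention target date to 0.7. The accepted partially-compliant backup control and the unplanned vendor review keep their current rating in every forecast, and the vendor review is the one control the user is still required to supply an action plan for.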